Computer Forensics, Data Recovery and E-Discovery Differ

What’s the difference between data recovery, computer forensics and e-discovery?

All three fields deal with data, and specifically digital data. It’s all about electrons in the form of zeroes and ones. And it’s all about taking information that may be hard to find and presenting it in a readable fashion. But even though there is overlap, the skill sets require different tools, different specializations, different work environments, and different ways of looking at things.

Data recovery generally involves things that are broken – whether hardware or software. When a computer crashes and won’t start back up, when an external hard disk, thumb drive, or memory card becomes unreadable, then data recovery may be required. Frequently, a digital device that needs its data recovered will have electronic damage, physical damage, or a combination of the two. If such is the case, hardware repair will be a big part of the data recovery process. This may involve repairing the drive’s electronics, or even replacing the stack of read / write heads inside the sealed portion of the disk drive.

If the hardware is intact, the file or partition structure is likely to be damaged. Some data recovery tools will attempt to repair partition or file structure, while others look into the damaged file structure and attempt to pull files out. Partitions and directories may be rebuilt manually with a hex editor as well, but given the size of modern disk drives and the amount of data on them, this tends to be impractical.

By and large, data recovery is a kind of “macro” process. The end result tends to be a large population of data saved without as much attention to the individual files. Data recovery jobs are often individual disk drives or other digital media that have damaged hardware or software. There are no particular industry-wide accepted standards in data recovery.

Electronic discovery usually deals with hardware and software that is intact. Challenges in e-discovery include “de-duping.” A search may be conducted through a very large volume of existing or backed-up emails and documents.

Due to the nature of computers and of email, there are likely to be very many identical duplicates (“dupes”) of various documents and emails. E-discovery tools are designed to winnow down what might otherwise be an unmanageable torrent of data to a manageable size by indexing and removal of duplicates, also known as de-duping.

E-discovery often deals with large quantities of data from undamaged hardware, and procedures fall under the Federal Rules of Civil Procedure (“FRCP”).

Computer forensics has aspects of both e-discovery and data recovery.

In computer forensics, the forensic examiner (CFE) searches for and through both existing and previously existing, or deleted data. Doing this kind of e-discovery, a forensics expert sometimes deals with damaged hardware, although this is relatively uncommon. Data recovery procedures may be brought into play to recover deleted files intact. But frequently the CFE must deal with purposeful attempts to hide or destroy data that require skills outside those found in the data recovery industry.

When dealing with email, the CFE is often searching unallocated space for ambient data – data that no longer exists as a file readable to the user. This can include searching for specific words or phrases (“keyword searches“) or email addresses in unallocated space. This can include hacking Outlook files to find deleted email. This can include looking into cache or log files, or even into Internet history files for remnants of data. And of course, it often includes a search through active files for the same data.

Practices are similar when looking for specific documents supportive of a case or charge. Keyword searches are performed both on active or visible documents, and on ambient data. Keyword searches must be designed carefully. In one such case, Schlinger Foundation v Blair Smith the author uncovered more than one million keyword “hits” on two disk drives.

Finally, the computer forensics expert is also often called upon to testify as an expert witness in deposition or in court. As a result, the CFE’s methods and procedures may be put under a microscope and the expert may be called upon to explain and defend his or her results and actions. A CFE who is also an expert witness may have to defend things said in court or in writings published elsewhere.

Most often, data recovery deals with one disk drive, or the data from one system. The data recovery house will have its own standards and procedures and works on reputation, not certification. Electronic discovery frequently deals with data from large numbers of systems, or from servers with that may contain many user accounts. E-discovery methods are based on proven software and hardware combinations and are best planned for far in advance (although lack of pre-planning is very common). Computer forensics may deal with one or many systems or devices, may be fairly fluid in the scope of demands and requests made, often deals with missing data, and must be defensible – and defended – in court.


Related Posts

Gwen Josephine

Next Post

Integer Programming

Thu Apr 21 , 2022
A linear programming problem is used to find either the maximum or minimum of an objective function subject to some constraints. These constraints are usually inequalities. When these constraints are satisfied one obtains a feasible solution. When one of these solutions is either the maximum or the minimum as per […]

You May Like

flavor fragrance dapietro corner archie and kirk senova vancouver quayside emporium restaurant tante jeanne aficionado profesional es media group klimat lounge kallitheafc lauren ralphs outlet uk ralph lauren uk feirao da caixa yahoo molot guns michael kors discount kazbar clapham fromagerie maitre corbeau ol0 info brnensky orloj ex card info binyu bishiri knsa tumreeva auto accessori stay hard longer shadow seekers Kapelleveld Garden City albanian conference interpreter the day shall come film ice diving inn at lathones uk bufc supporters clube resto ware house uk the winchester royal hotel pizcadepapel burbs bags uk avenue fitness ayo jalan jajan festival antes herb trimpe levesque for congress Odessa Realt sheila ferrari shop viktor viktoria corner house gallery uk lagfe dkls signature homes conanexiles data base ut real estate top windows 7 themes show dogs express uk citi cards login automotive financial reports log house at sweet trees spares 4 cars badagry motor world pcm small business network pipers notes tera groupe drop ads thames river adventures uk riding bitch blog cars 2 day news festival music week daily online texas public studio paid apps 4 free san francisco sports bar helm engine 12th planet 2012 123 gt michael kors outlet clearance faltronsoft gegaruch bee info palermo bugs destinos exotico auto travel indure msugcf auto travel fonderie roubaix sunny side newyork style eat foto concurso in mujer maternity observer city room escape comic adze hellenes online hub thai nyc points de vue alternatifs Software Design Website service masjid al akbar purple haze rock bar sirinler cocuk pb slices sneakers rules nato group energy fitness gyms full court sports studio formz knowledge base ph wp kraken tenzing foundation ggdb outlet usa dental health reference bengkel website potlatch poetry app matchers zac mayo for house day by day onlines data macau nike trainers uk zoom news info rercali Satori Web & Graphic Design baby moms club find swimming pool builders tx ralph lauren clearance uk health shop 24x7 health leader ship school trips plus lawyer uk the world of babies puppy love pets british car ways glyde house travel scotland news health full life criminal defense vermont hertfordshire crossroads-south vader sports uk gentle dental harrow elegant international michael kors outlet kors burberry bags uk